MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 17



SHA256 hash: 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f
SHA3-384 hash: e21598bf608ad60745369fece0a434e93cf55293c462d21491f80e6e9856706cf89b2f97bb70edbcdd871d66d8f9ef75
SHA1 hash: 8760b6b9e7412e1346b5427a0e92e7399d226561
MD5 hash: 3257a90914b6dfdb338969b2a58a260a
humanhash: snake-high-papa-cola
File name: 3257a90914b6dfdb338969b2a58a260a.exe
Signature: LummaStealer
File size: 5'719'552 bytes
First seen: 2025-03-07 16:07:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:w4HFD2LWvXJq/8y2ccr9+MXamXXbkxvWTioIqqUt0p3CkyVulQqc/ABiJk:HcSvUMccrx9XLkqIqqUSpncDFABi
TLSH: T18946338A6AF9849AF7A013745FFF01875B7B392A693C4392B4DFB16C04B1172207635B
TrID: 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 442
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: 3257a90914b6dfdb338969b2a58a260a.exe.rl.zip
Verdict: Malicious activity
Analysis date: 2025-03-07 17:48:09 UTC
Tags: amadey

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun cobalt

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, LummaC Stealer, Stealc
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Stealc
Behaviour
Behavior Graph: Joe Sandbox behavior graph ID 1631980 (sample mQRr8Rkorf.exe, start date 07/03/2025, architecture WINDOWS, score 100); the rendered process/network graph is not reproduced here.
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2025-03-07 14:34:12 UTC
File Type: PE (Exe)
Extracted files: 78
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:amadey family:gcleaner family:healer family:lumma family:stealc botnet:092155 botnet:traff1 botnet:trump credential_access defense_evasion discovery dropper evasion execution loader persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
.NET Reactor protector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
GCleaner
Gcleaner family
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
Stealc
Stealc family
Malware Config
C2 Extraction:
Verdict: Malicious
Tags: stealer redline
YARA: detect_Redline_Stealer
Unpacked files
SHA256 hash: 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f
MD5 hash: 3257a90914b6dfdb338969b2a58a260a
SHA1 hash: 8760b6b9e7412e1346b5427a0e92e7399d226561

SHA256 hash: 09bc8997d63fe995b0c57e9b8f988f4d20b514a9d2dfa3d926790d41e94caa4c
MD5 hash: f9850ac81e05a25ccee6450431964a33
SHA1 hash: 3be80bd3b69da57bc67b079b66bc9833c9b713a3
Detections: Amadey

SHA256 hash: 2bd6140fb3bfc1450e8be3c25ea6e58fc843549aeb85d9ca95daf32e06c576ad
MD5 hash: 34c2dbbc6f76cf25be0e81dcab86ef2c
SHA1 hash: 46188b654c5b7b9f7007083800eece06c5f52e11

SHA256 hash: 15104daae196573317ad93a014a2bb307c36cbd50718d9afccb4c16d0e20371f
MD5 hash: 56a243792bddb48258d14a5d0d23813c
SHA1 hash: af4e354903632c4071e00c7f280995c16f76b4e7
Detections: stealc

SHA256 hash: 366f3b7edd9fe6a764d2bf1d08afa0662600e373f1f965746dfcffc0aefd026e
MD5 hash: 3f95752bfff9447467097a83e5f42e89
SHA1 hash: d4a83b6cd5e197271dec6bfbfb728cc5abe7b47b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
File: Executable exe 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)

Reviews
AUTH_API (Manipulates User Authorization): ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API (Uses Security Base API): ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API): KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API (Can Create Files): KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API (Retrieves Account Information): ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API (Can Manipulate Windows Registry): ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API (Performs GUI Actions): USER32.dll::PeekMessageA